LibJS: Let RegExp.string get RegExp.prototype from the global object directly
We can't assume that RegExp on the global object is still the original constructor, or an object at all. This makes '--RegExp<</<</</,/</x/' work. :^) Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29740
parent
d0c5979d96
commit
f9b1a9e60c
Notes:
sideshowbarker
2024-07-18 22:46:02 +09:00
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/f9b1a9e60cf Pull-request: https://github.com/SerenityOS/serenity/pull/5167
|
@ -137,9 +137,8 @@ JS_DEFINE_NATIVE_GETTER(RegExpPrototype::source)
|
|||
if (!this_object)
|
||||
return {};
|
||||
|
||||
// FIXME: This is obnoxious - we should have an easier way of looking up %RegExp.prototype%.
|
||||
auto& regexp_prototype = global_object.get(vm.names.RegExp).as_object().get(vm.names.prototype).as_object();
|
||||
if (this_object == ®exp_prototype)
|
||||
auto* regexp_prototype = global_object.regexp_prototype();
|
||||
if (this_object == regexp_prototype)
|
||||
return js_string(vm, "(?:)");
|
||||
|
||||
auto regexp_object = regexp_object_from(vm, global_object);
|
||||
|
|
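Review bot: The new `global_object.regexp_prototype()` lookup carries no comment explaining why the intrinsic is used instead of the `RegExp` global, and the FIXME it replaces was the only hint. A line above it such as `// Compare against the intrinsic %RegExp.prototype%: globalThis.RegExp is script-writable and may no longer be the constructor, or an object at all.` would keep a later refactor from reintroducing the property lookup. The removed pattern, `global_object.get(...).as_object()` chained on a property that script can overwrite, is worth searching for in the other getters of this file and elsewhere in LibJS, since any remaining instance would presumably fail the same way on untrusted script. No test is visible in this section, so the OSS-Fuzz input quoted in the description should be added as a regression case if the commit does not already include one. The getter's body starts and ends outside the hunk.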